PHP: htmlEntities() and Cross Site Scripting

When printing user input in an attribute of an HTML tag, the default configuration of htmlEntities() doesn’t protect you against Cross Site Scripting (XSS), when using single quotes to define the border of the tag’s attribute-value. XSS is then possible by injecting a single quote:

The ‘ENT_QUOTES’ option doesn’t protect you against JavaScript evaluation in certain tag’s attributes, like the ‘href’ attribute of the ‘a’ tag. When clicked on the link below, the given JavaScript will get executed: